The underlying mechanism of American democracy--the U.S. election system--has been under attack by foreign hackers. Special Counsel Robert Mueller last week indicted 12 Russian intelligence officers accused of interfering in the 2016 U.S. presidential election.
While the Russians are charged with hacking the Democratic National Committee and Hillary Clinton's campaign, the Department of Homeland Security found that hackers also targeted election systems in 21 states, including battleground states such as Pennsylvania, Virginia, and Florida. And while Congress approved $380 million in grant money for state election officials to upgrade their cybersecurity posture, many American states are ill- equipped to defend against cyberwar waged by nation states.
That's why Cloudflare, a San Francisco-based cybersecurity company, is offering its services free to state and county government websites that support elections, report election results, host voter registration services, and poll location information.
"U.S. elections are local--it can come down to individual people in small counties to make sure the voting is successful," says Matthew Prince, co-founder of Cloudflare. "These are patriotic heroes and they feel alone and under-resourced. Some election officials feel like it's them against the entire Russian hacking army."
Prince says the program, which is called the Athenian Project, has been deployed in some 20 states so far. Cloudflare usually protects big enterprise clients like NASDAQ and Cisco, but Prince says his company's software was used by every presidential candidate--from Bernie Sanders to Donald Trump--in the 2016 election. Every candidate but Hillary Clinton.
Prince says Cloudflare helped protect Alabama's election websites against waves of attacks during the fiercely contested special election to replace Senator Jeff Sessions, which was won by Democrat Doug Jones over Republican Ray Moore. Hackers waged DDoS attacks on voter registration sites and tried to attack sites that report poll results. "They are trying to disrupt the confidence of the election process," says Prince. "The attacks that occurred were less about supporting a candidate and more about attacking the confidence in the system itself."
As the country heads to the 2018 midterm elections, officials nationwide are trying to shore up websites to prevent cyberattacks from interfering with the democratic process. U.S. voting machines are not connected to the internet, so hackers aren't trying to manipulate the vote count. Instead, they are trying to sow chaos and confusion by attacking the internet-connected sites that support elections, like voter registries. Idaho adopted Cloudflare's technology earlier this year ahead of the state's primary elections. Chad Houck, Idaho's deputy secretary of state, says his agency measured the traffic to Idaho's central voting registration website during the weeks before the primaries and found the program was blocking about 250 suspicious requests to connect to the site's server each day. About three days before the election, the software blocked 27,000 such requests. That same day, two other government websites that were not protected were overtaken by hackers and defaced.
"It is critical that state legislators, who are in control of state or federal funding, know that there is a real and ongoing threat in this space. Things are happening. They need to do their best to make funds available to states to help defend themselves," says Houck.
Idaho got $3.2 million from the U.S. Election Assistance Commission, but Houck says the state hasn't deployed any funds yet, as officials are still discussing how they should revamp the state's election security.
Cloudflare is not the only company to offer pro bono cyber security services. Google, through its program Google Shield, offers a similar program. Synack conducts free penetration testing for state and county voter registration sites, and Centrify offers identity management to election agents.
Joseph Hall, a chief technologist and director at the nonprofit Center for Democracy and Technology, who started studying election security in 2002, says election security varies wildly from state to state and county to county. "It's a mixed bag. Some jurisdictions have big budgets and dedicated information-security staff to manage elections, but then there are little counties without many resources," says Hall.
While companies like Cloudflare are certainly doing something positive, Prince put his company's effort into context: "There are more than 8,500 different election jurisdictions that are required to pull off democracy," he says. "We are working with 72."